hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bernd <e...@zusammenkunft.net>
Subject TrustStrategy - is chain[0] always the server certificate in the chain?
Date Mon, 21 Mar 2016 13:21:21 GMT
Hello,

I am writing a TrustStrategy which is processing http.spki-pinning. I have
one strategy instance per fingerprint (and use it only for one host).

The isTrusted(chain, authType) method will return a CertificateException
when the PIN is wrong, and it will "return false" when the pin is correct
(defering all other checks to the system trust manager).

I wonder now, is it guranteed that chain[0] contains the server certificate
which is actually used for the handshake? The Javadoc only says "peer
certificate chain" with no further description what can be dependent upon.

In my special case the TrustStrategy is also executed before the
TrustManager, does this mean I do need to do some more checks to make sure
I actually verify the server certificate and not intermediate or excessive
certificates?

Using httpclient:4.5

like this:

HttpClientBuilder builder = HttpClients.custom();
builder.disableCookieManagement();
builder.disableAuthCaching();
builder.disableRedirectHandling();
TrustStrategy pinnedCertTrust = new PinnedCertTrust("e93..");
SSLContext sslcontext =
SSLContexts.custom().useProtocol("TLSv1.2").loadTrustMaterial(pinnedCertTrust).build();
SSLConnectionSocketFactory sslsf = new
SSLConnectionSocketFactory(sslcontext, new String[] { "TLSv1.2" }, null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
builder.setSSLSocketFactory(sslsf);
CloseableHttpClient client = builder.build();


Gruss
Bernd

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message